Back to articles

Video conferencing access explained: what browser extensions can really see in your meetings

Eighteen extensions harvested meeting data from 2.2 million users across Zoom, Teams, and Meet. Here's how conferencing access works and how to audit yours.

Maxim Kosterin
5 min read

Every time you join a Zoom call through Chrome, you're potentially sharing more than just your face. Koi Security researchers — whose findings were reported by BleepingComputer — found 18 browser extensions that reached 2.2 million users while silently harvesting corporate meeting data in real time. Meeting URLs with embedded passwords. Speaker bios. Company affiliations. All of it, going out over persistent WebSocket connections while users gave the extensions positive reviews.

The extensions worked. Users liked them. The surveillance ran in the background.

How extensions access your video calls

Browser extensions can't tap your microphone or camera without a separate media permission. But they can do something most users never think about: read the web page where your meeting lives.

When you join a Zoom call at app.zoom.us, open Google Meet at meet.google.com, or access Teams at teams.microsoft.com, you're visiting a webpage. Any extension with host permissions for those domains can read the full page content — including meeting IDs, embedded passwords in URLs, participant lists rendered on screen, and any metadata displayed in the interface.

This is the same DOM-access mechanism that lets extensions read email or product pages. For video conferencing, the attack surface is particularly sensitive. Meeting URLs often encode passwords directly in the link string. Anyone who captures that URL can join the call without an invitation.

The permission enabling this is typically "Read and change all your data on all websites you visit" — or a narrower declaration like *://*.zoom.us/*. Either way, once an extension can read the page, it reads everything on it.

What the 18 extensions actually collected

The "Zoom Stealer" campaign targeted 28+ conferencing platforms (Zoom, Teams, Meet, WebEx, GoToWebinar, and 23 others) and exfiltrated meeting URLs with embedded passwords, attendee names, job titles, corporate affiliations, and speaker bios — in real time over persistent WebSocket connections to Firebase instances.

For the full breakdown of the campaign, attribution, and alternatives to meeting-helper extensions, see the DarkSpectre review. This article focuses on the underlying access model that made the campaign possible — and how to audit your own browser.

When conferencing access is okay vs. when to worry

There are legitimate extensions that need access to video conferencing pages. The question is whether what an extension does with that access matches what it claims.

Probably fine:

  • Meeting transcription or note-taking tools from the conferencing platform itself
  • AI meeting assistants from established companies with published privacy policies that explicitly state processing is local or that data is not retained
  • Calendar integrations that read meeting links to populate calendar events — though these typically don't need persistent access during a live call

Worth scrutinizing:

  • Extensions with broad host permissions that don't explain any feature requiring conferencing access
  • "Audio capture," "meeting recorder," or "AI assistant" extensions you didn't consciously install for that purpose
  • Extensions updated in the last six months that you haven't reviewed since the original install — permissions can change with updates

Red flags:

  • Extensions transmitting data to domains you don't recognize during or immediately after calls
  • Any "enhancement" tool that requests both media access and broad host permissions without a clear reason for needing both
  • Extensions that can't explain why they need *.zoom.us or meet.google.com access to do their stated job

None of the 18 extensions in the Zoom Stealer campaign described automated meeting data collection in their store listings or privacy policies, according to BleepingComputer's reporting.

How to audit which extensions can access your meetings

The manual path: open chrome://extensions, click "Details" on each extension, and check "Site access." Look for entries covering "all sites" or specific conferencing domains. The catch is that <all_urls> access covers conferencing pages without naming them explicitly — so an extension listed as a "PDF editor" could have the same level of access to Zoom as a dedicated meeting tool.

A faster approach is Extenshi's extension scanner. It shows you which installed extensions have access to sensitive domains, including conferencing platforms, without requiring you to click through every extension individually.

For teams managing dozens of employee browsers, the Extenshi catalog shows permission breakdowns before installation. Reviewing an extension's access profile takes a few seconds. Discovering after the fact that 800,000 people installed a surveillance tool disguised as an audio utility takes considerably longer to recover from.

The question worth asking before your next call: which extensions currently have access to app.zoom.us? If you can't answer it off the top of your head, that's worth ten minutes to find out.

Check your extensions' permissions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles